Splunk Enterprise Security

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

ajaylowes
Path Finder

Need to pull all the data from the investigation panel (Enterprise Security) and send to third party (Archer, ServiceNow) via API

For starters, i need to pull the information from the investigation panel so that i can run the python script to push the data to the API.

0 Karma

LukeMurphey
Champion
0 Karma

ajaylowes
Path Finder

@LukeMurphey For some strange reason, i dont see any event_id in my notable index.
Secondly, i want to fetch the notable info(not update the notable).

Can you please help me out

0 Karma

lakshman239
Influencer

if you run the notable macro search, you should see rule_id and event_id [ they are the same fields]

`notable` | table _time , source, event_id, rule_id
0 Karma

lakshman239
Influencer

Thanks @LukeMurphey for the links, but not seeing info related to Investigations performed against notables. Am I missing something?

0 Karma

LukeMurphey
Champion

I might have mistakenly assumed that "investigation" was a reference to a notable. If so, then my answer is incorrect.

@ajaylowes: could you clarify if you mean a notable event (what you see on Incident Review) or an investigation (what you see on the "Investigations" page)?

0 Karma

ajaylowes
Path Finder

@LukeMurphey This is what we see on the "investigation" page

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...